Archive for March, 2009

Brief: Senators ready bills to beef up cybersecurity

Tuesday, March 31st, 2009

Senators ready bills to beef up cybersecurity

House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology

Tuesday, March 31st, 2009

PCI was under fire today during a US House of Representatives subcommittee meeting. If you didn’t watch the meeting while it was in progress or follow the tweets that I, Anton Chuvakin and a few other security professionals were sending, you missed what will end up being a very important meeting for the future of PCI. Our representatives asked some very pointed questions, and both Robert Russo from the PCI Council and Joseph Majka from Visa were put on the hot seat. The representatives from Michaels and the National Retail Federation were definitely in an adversarial position to the PCI Council and the card brands. It made for great spectator sport.

The video’s supposed to be available soon, so if you’re interested in PCI, take a little while and watch this. It was only the opening round in what promises to be a very interesting set of meetings to determine the future of PCI. 

Do the Payment Card Industry Data Security Standards reduce Cybercrime?

Email encryption for a clean bill of health

Tuesday, March 31st, 2009

Though Washington is busy touting an overhaul of health care’s record keeping, many health care organizations are independently making strides to “digitize” their operations and reduce their reliance on paper — and the couriering and mailing of medical records — in an effort to increase efficiency, accuracy and reduce costs.

Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems

Tuesday, March 31st, 2009

Scalable Infrastructure vs Large Problems, or OpenDNS vs Conficker

Monday, March 30th, 2009

After seeing Dan Kaminsky’s talk at Black Hat DC last month, I blogged about the benefits of DNS’ ability to scale to address big problems like asset management records. I’ve avoided talking about Conficker (except for yesterday) since it’s all over the media.

Why mention DNS and Conficker in the same post? All of the commotion about Conficker involves one variant’s activation of a new domain generation algorithm on 1 April. Until today no one had publicly announced the reverse engineering of the algorithm, but right now you can download a list of 50,014 domains that one Conficker variant will select from when trying to phone home starting 1 April. Some of the domains appear to be pre-empted:

$ whois aadqnggvc.com.ua

    % This is the Ukrainian Whois query server #B.
    % Rights restricted by copyright.
    %
    % % .UA whois
    % Domain Record:
    % =============
    domain:     aadqnggvc.com.ua
    admin-c:    CCTLD-UANIC
    tech-c:     CCTLD-UANIC
    status:     FROZEN-OK-UNTIL 20090701000000
    dom-public: NO
    mnt-by:     UARR109-UANIC (ua.admin)
    remark:     blocked according to administrator decision
    changed:    CCTLD-UANIC 20090320144409
    source:     UANIC

Others appear ready for registration:

~$ whois aafkegx.co.uk

    No match for "aafkegx.co.uk".

    This domain name has not been registered.

    WHOIS lookup made at 00:56:31 31-Mar-2009

Keep in mind that another 50,000 domains will be generated on 2 April, and so on. With such a big problem, what could we do to contain this malware?

OpenDNS is a possible answer:

OpenDNS has kept our users safe from Conficker for the past several months by blocking the domains it uses to phone home…

The latest variant of Conficker is now churning through 50,000 domains per day in an attempt to thwart blocking attempts. Consider this: at any given time we have filters that hold well over 1,000,000 domains (when you combine our phishing and domain tagging filters). 50,000 domains a day isn’t going to rock the boat.

So here’s our update: OpenDNS will continue to identify the domains, all 50,000, and block them from resolving for all OpenDNS users. This means even if the virus has penetrated machines on your network, it’s rendered useless because it cannot connect back to the botnet.

That’s one advantage of outsourcing your Internet DNS to a third party. They have the resources to integrate the latest threat intelligence and the position to do something to protect users.

This is a great example of scalable infrastructure (DNS) vs large problems (Conficker).

Finally, you’ve probably heard about the Conficker Know Your Enemy paper and associated upgraded scanning tools, like Nmap 4.85BETA5 and the newest Nessus check. I can’t wait to see the results of tools like this. It could mark one of the first times we could fairly easily generate a statistic for the percentage of total assets compromised, similar to steps 8 and 9 from my 2007 post Controls Are Not the Solution to Our Problem. In other words, you can scan for Conficker and determine one score of the game — the percentage of hosts compromised by one or more Conficker variants. The question is, how long until those controlling Conficker update the code to resist these remote, unauthenticated scans?
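The two ideas above, a resolver that refuses to answer for a daily list of generated domains and a "score of the game" computed from which hosts asked for them, fit in a few dozen lines. The following is an added example written for this archive; it is not OpenDNS code and it does not reproduce Conficker's domain generation algorithm. The blocklist entries beyond the two names shown in the whois output above, the client addresses, and the query log lines are all constructed, and the log format (timestamp, client IP, query name, query type) is an assumption.

```python
"""DNS-layer blocking of generated domains, plus a compromise score
derived from resolver query logs.

Added example, not OpenDNS code or Conficker's algorithm. Hosts, log lines
and all blocklist names except the two from the page are constructed.
"""
import re
from collections import defaultdict

# Constructed stand-in for one day's list of algorithmically generated domains.
DAILY_BLOCKLIST = {
    "aadqnggvc.com.ua",   # on the page: frozen by the .ua registry
    "aafkegx.co.uk",      # on the page: unregistered at the time of writing
    "zxqplmv.org",        # constructed
}

# Constructed resolver query log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_QUERY_LOG = """\
2009-03-31T00:10:01Z 10.0.0.12 www.example.com A
2009-03-31T00:10:04Z 10.0.0.12 aafkegx.co.uk A
2009-03-31T00:10:07Z 10.0.0.15 mail.example.com MX
2009-03-31T00:10:09Z 10.0.0.21 AADQNGGVC.COM.UA. A
2009-03-31T00:10:11Z 10.0.0.21 zxqplmv.org A
2009-03-31T00:10:12Z 10.0.0.30 updates.example.net A
malformed line that should be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) ([A-Z]+)$")


def normalize(qname):
    """Lower-case and strip the trailing dot so lookups match the list."""
    return qname.lower().rstrip(".")


def resolver_decision(qname, blocklist=DAILY_BLOCKLIST):
    """Return 'block' if the name is listed, else 'resolve'.
    A set lookup is O(1), which is why adding 50,000 names per day to a
    list already holding over a million is not a scaling problem."""
    return "block" if normalize(qname) in blocklist else "resolve"


def parse_log(text):
    """Yield (client_ip, normalized_qname) for well-formed lines only."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(2), normalize(m.group(3))


def hosts_calling_home(text, blocklist=DAILY_BLOCKLIST):
    """Map each client that asked for a listed name to the names it asked for.
    A blocked query is still logged: the block stops the callback, the log
    tells you which machine tried."""
    hits = defaultdict(set)
    for client, qname in parse_log(text):
        if qname in blocklist:
            hits[client].add(qname)
    return dict(hits)


def compromise_score(text, blocklist=DAILY_BLOCKLIST):
    """Percentage of hosts seen in the log that queried at least one listed
    name: the post's "one score of the game", from DNS data rather than a
    remote scan."""
    seen = {client for client, _ in parse_log(text)}
    if not seen:
        return 0.0
    return 100.0 * len(hosts_calling_home(text, blocklist)) / len(seen)


if __name__ == "__main__":
    for client, names in sorted(hosts_calling_home(SAMPLE_QUERY_LOG).items()):
        print(f"{client} queried blocked names: {sorted(names)}")
    print(f"hosts flagged: {compromise_score(SAMPLE_QUERY_LOG):.1f}%")
```

The score only counts hosts that appeared in the log at all, so a machine that was off the network that day is neither a hit nor a miss; on a real resolver you would also swap `DAILY_BLOCKLIST` for the list that matches each day's generation date, since the post notes a fresh set of domains arrives every day.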


Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

An FAA plea for help?

Monday, March 30th, 2009

It’s not too often that we get an honest evaluation of the security of a corporate network let alone a government network.  But that’s exactly what David Bowen, the Federal Aviation Administration’s Assistant Administrator for Information Services and Chief Information Officer gave IT execs in Dallas last week.  In a very frank speech, he disclosed that the FAA has more Internet access points than they can manage, more systems than they can secure and generally a network that they know is insecure but don’t have the time and budget to do anything about. 

I doubt there are many security professionals that are surprised that the FAA network is insecure, but the sheer scope of what Mr. Bowen is facing is scary in the extreme.  They lost information on 45,000 employees in February and even though they deny that other systems, such as air traffic control, are affected, how can they know for certain when they have a network with so few security controls in place?  Unless there’s an air gap of some sort between the rest of the FAA systems and the air traffic control systems, the answer is they can’t.

This isn’t a rogue IT professional disclosing the dirty secrets of an organization, this is the CIO publicly admitting that he doesn’t have a handle on the security of his organization with full acknowledgment by his superiors.  You can read the entire transcript of the speech on the FAA site, something you wouldn’t be able to do if the higher ups in the organization were trying to keep this from getting out.  To me that means that this isn’t just an admission of guilt, it’s a plea for help from the Federal government to supply the resources needed to secure his networks.

Statistically, flying is one of the safest ways to travel.  Usually when we hear about an airplane accident it’s because what happened was spectacular and unusual.  But if the FAA networks are really as insecure as Mr. Bowen is indicating, it’s not inconceivable that we could have a scene that looks like something out of a Die Hard movie at some time in the not too distant future.  I don’t even think this is a case of crying wolf or exaggerating the potential consequences; I believe this is a real threat we could face in the future if the FAA systems aren’t secured.

If you want a good place to spend TSA and Homeland Security money, I’m willing to bet securing the FAA network would be a lot better place to put it than making travelers take off their shoes when they’re trying to board a flight.  True, it wouldn’t be as flashy and noticeable as taking away people’s pen knives and baby formula, but securing the computers that guide each and every flight taking place in the United States would save more lives than every shoe x-ray combined.

IT Security and Open Source Show Resilience in Tough Times

Monday, March 30th, 2009

The economic downturn may be playing rough with nearly every industry, but a few types of companies are proving resilient—one could even say reaping benefits—from the troubles others are facing.

Two types of products are likely to succeed in a market like this.

The first are staples, or products that provide people with some type of sustenance. These are the things people will need to stay alive, to keep their businesses afloat and survive the recession. Of course what naturally comes to mind as “staples” are food products, but even an industry like IT has its staples. And security is one of them: the companies that don’t maintain their basic security are likely to pay later on in lost employee time and resources, and maybe customer trust and loyalty too, after they’ve suffered a virus, malware or data loss. So, security is a basic preventative measure that’s needed even when wallets are tight.

A recent Ars Technica article points out that companies are trending toward unified security products, rather than dedicated firewalls, to fill the niche of their basic security. With systems facing continually more virulent threats like the Conficker worm, which are easy to prevent with basic updated software and security systems, companies may be seeing the light about the importance of basic security. But Ars isn’t sure—they’re holding out till IT Security companies’ revenue from the first quarter gets reported, to see if it matches last year’s improvements.

The second type of product that will do well in tough times are substitute or value products, which may have fewer features than their more expensive counterparts but can fill the same niche and get the basic job done. Interestingly, it looks like some open source products may be filling that role right now. A different Ars article reports that Red Hat, one of the most popular Linux distributors, is seeing a rather dramatic increase in revenue of 25% from 2007 to 2009.

Naturally “open source” projects as a whole aren’t going to all see the same results. An industry based around giving something away for free still needs a revenue-earning strategy to succeed in business. Red Hat found one; a few lonely Internet companies have found various markets; but as a whole, both the Web and open source industries are going to keep struggling until each company can find its niche in the market. The companies that do thrive by giving away something for free are usually using their free products as a loss leader to drive customers to other merchandise and filling a unique role for the industry.

One more example of successful open source company that matches that model is Digium, the IP-PBX company. Digium offers its Asterisk software free, but relies on purchases of its hardware solutions to run the system. Recently they also released a call center service and reportedly have been doing well through this recession.

So, it looks like there are still some bright points in the economy, at least for IT.

NSM vs The Cloud

Monday, March 30th, 2009

A blog reader posted the following comment to my post Network Security Monitoring Lives:

How do you use NSM to monitor the growing population of remote, intermittently connect mobile computing devices? What happens when those same computers access corporate resource hosted by a 3rd party such as corporate SaaS applications or storage in the cloud?

This is a great question. The good news is we are already facing this problem today. The answer to the question can be found in a few old principles I will describe below.

  • Something is better than nothing. I’ve written about this elsewhere: computer professionals tend to think in binary terms, i.e., all or nothing. A large number of people I encounter think “if I can’t get it all, I don’t want anything.” That thinking flies in the face of reality. There are no absolutes in digital security, or analog security for that matter. I already own multiple assets that do not strictly reside on any single network that I control. In my office I see my laptop and Blackberry as two examples.

    Each could indeed have severe problems that started when they were connected to some foreign network, like a hotel or elsewhere. However, when they obtain Internet access in my office, I can watch them. Sure, a really clever intruder could program his malware to be dormant on my systems when I am connected to “home.” How often will that be the case? It depends on my adversary, and his deployment model. (Consider malware that never executes on VMs. Hello, malware-proof hosts that only operate on VMs!)

    The point is that my devices spend enough time on a sufficiently monitored network for me to have some sense that I could observe indicators of problems. Of course I may not know what those indicators could be a priori; cue retrospective security analysis.

  • What is the purpose of monitoring? Don’t just monitor for the sake of monitoring. What is the goal? If you are trying to identify suspicious or malicious activity to high priority servers, does it make sense to try to watch clients? Perhaps you would be better off monitoring closer to the servers? This is where adversary simulation plays a role. Devise scenarios that emulate activity you expect an opponent to perform. Execute the mission, then see if you caught the red team. If you did not, or if your coverage was less than what you think you need, devise a new resistance and detection strategy.
  • Build visibility in. When you are planning how to use cloud services, build visibility in the requirements. This will not make you popular with the server and network teams that want to migrate to VMs in the sky or MPLS circuits that evade your NSM platforms. However, if you have an enterprise visibility architect, you can build requirements for the sort of data you need from your third parties and cloud providers. This can be a real differentiator for those vendors. Visibility is really a prerequisite for “security,” anyway. If you can’t tell what’s happening to your data in the cloud via visibility, how are you supposed to validate that it is “secure”?

I will say that I am worried about attack and command and control channels that might reside within encrypted, “expected” mechanisms, like updates from the Blackberry server and the like. I deal with that issue by not handling the most sensitive data on my Blackberry. There’s nothing novel about that.


Response to 60 Minutes Story “The Internet Is Infected”

Monday, March 30th, 2009

I just watched the 60 Minutes story The Internet Is Infected. I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks.

I’d like to outline the negative and positive aspects of the story, in my humble point of view.

The negative aspects are as follows:

  1. I detest the term “infected.” Computers in 2009 are not “infected.” They are compromised by malware operated by a human with an objective. The malware is a tool; it is not the end goal. In the late 1990s I enjoyed defending networks because the activity I monitored was caused by a human, live on the Internet, whose very keystrokes I could watch. At the beginning of this decade I despaired as human action was drowned in a sea of malware that basically propagated but did little otherwise. Since the middle of the decade we have had the worst of both worlds; when I see malware I know there is a human acting through it for malicious purposes. I detest “infection” because the term implies we can apply some antiseptic to the wound to “clean it.” In reality the malware’s operator will fight back, resist “cleaning,” and maintain persistence.
  2. Cue the “teenage hacker.” I thought we were collectively making progress away from the pasty-faced teenager in the parental basement. It seems the popular consciousness has now moved to the pasty-faced teenager in Russia, courtesy of 14-year-old “Tempest” in the 60 Minutes video. Never mind the organized crime, foreign intelligence, and economic espionage angles. Two other groups are definitely going to be upset by this: Chinese hackers and insider threats. Actually, not hearing a word about the latter makes me feel happy inside.
  3. “I thought I had a good enough firewall.” GROAN. Hearing people talk about their firewalls and anti-virus was disheartening. I almost thought Vint Cerf was going to spill the beans on the easiest way to avoid Conficker when he said the following:

    “I’ve been on the Net ever since the Net started, and I haven’t had any of the bad problems that you’ve described,” Cerf replied…

    Because I don’t use Windows! Say it Vint! Oh well.

The positive aspects are as follows:

  1. Hello security awareness. Stories like this wake people up to the problems we face every day. Sure Conficker is just the latest piece of malware, definitely not “one of the most dangerous threats ever,” as said on TV. At the very least this story should enable a conversation between management and security operations.
  2. Client-side exploitation via socially-engineered and social network attacks were demonstrated. Good for Symantec to show that Morley Safer owns Leslie Stahl via Facebook. Better yet, 60 Minutes even used the term “owned”!
  3. Real consequences were demonstrated. I am very glad that Symantec showed just what an intruder can do to an owned computer. Keystroke logging, screen scraping, sensitive information retrieval, the works. They didn’t even mention opening and closing the CD tray or activating the Webcam. That would have been cool, though.

Expect a few questions about this tomorrow at work!


IT Security Jobs remain HOT, here’s advice on landing a Security Sales Eng. Job

Sunday, March 29th, 2009

One of the best places to be in almost any company is a job in or around their sales departments. Sales are a company’s lifeblood so those that can directly influence those sales usually enjoy higher pay and more job perks. However, nothing is for free right? So the trade-off is you typically have less job security and work longer hours. If you don’t bring in the numbers to meet your sales quota you’ll be out of the job before long. One thing you definitely can’t do is “coast” in a sales job. IT sales jobs are no exception to this rule.

Network Security Monitoring Lives

Saturday, March 28th, 2009

Every once in a while I will post examples of why Network Security Monitoring works in a world where Webbed, Virtual, Fluffy Clouds abound and people who pay attention to network traffic are considered stupid network security geeks.

One of the best posts I’ve seen on the worm-of-the-week, Conficker, is Risk, Group Think and the Conficker Worm by the Verizon Security Blog. The post says:

With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact on operations. A very large proportion of systems we have studied, which were infected with Conficker in enterprises, were “unknown or unmanaged” devices. Infected systems were not part of those enterprise’s configuration, maintenance, or patch processes.

In one study a large proportion of infected machines were simply discarded because a current user of the machines did not exist. This corroborates data from our DBIR which showed that a significant majority of large impact data breaches also involved “unknown, unknown” network, systems, or data.

This my friends is the reality for anyone who defends a live network, rather than those who break them, dream up new applications for them, or simply talks about them. If a “very large proportion of systems” that are compromised are beyond the reach of the IT team to even know about them, what can be done? The answer is fairly straightforward: watch the network for them. How can you do that? Use NSM.

Generate and collect alert, statistical, session, and full content data. I’ve also started using the term transaction data to mean data which is application-specific but captured from the network, like DNS requests and replies, HTTP requests and replies, and so on. These five forms of data can tell you what systems live on the network and what they are doing. It is low-cost compared to the variety of alternatives (manual, physical asset control; network access control; scanning; etc.). Once a sensor is deployed in the proper place you can perform self-reliant (i.e., without the interference of other groups) NSM, on a persistent and consistent basis.

Where should you monitor? Watch at your trust boundaries. The best place to start is where you connect to the Internet. Make sure you can see the true source IP (e.g., a desktop’s real IP address) and the true destination IP (e.g., a botnet C&C server). If that requires tapping two locations, do it. If you can approximate one or the other location using logs (proxy, NAT, firewall, whatever), consider that, but don’t rely only on logs.

NSM lives, and it is working right now.
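The Verizon observation that most infected systems were “unknown or unmanaged” and the post's answer (watch the network and let session data tell you what lives on it) can be turned into a small, repeatable check. The following is an added example, not code from the post or from any NSM tool: it takes session records from a sensor at the Internet boundary, lists every internal address that appears on either end of a session, subtracts the IT team's inventory, and profiles what each leftover host was doing. The inventory, the internal subnet, the session-record format (start time, source IP and port, destination IP and port, protocol, bytes) and every record are constructed.

```python
"""Find unknown or unmanaged hosts from network session data.

Added example, not from the post or any NSM tool. The inventory, subnet,
record format and all session records below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed managed-asset inventory: the IT team's view of the network.
MANAGED_HOSTS = {"10.1.0.10", "10.1.0.11", "10.1.0.12"}
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")

# Constructed session records captured at the Internet trust boundary:
# start src_ip src_port dst_ip dst_port proto bytes
SAMPLE_SESSIONS = """\
2009-03-28T09:00:01Z 10.1.0.10 51012 192.0.2.10 80 tcp 5120
2009-03-28T09:00:05Z 10.1.0.11 51013 192.0.2.10 443 tcp 8800
2009-03-28T09:01:10Z 10.1.0.77 49152 10.1.0.10 445 tcp 1200
2009-03-28T09:01:11Z 10.1.0.77 49153 10.1.0.11 445 tcp 1200
2009-03-28T09:01:12Z 10.1.0.77 49154 10.1.0.12 445 tcp 1200
2009-03-28T09:02:00Z 10.1.0.77 49160 198.51.100.5 80 tcp 900
2009-03-28T09:03:00Z 10.1.0.90 49200 192.0.2.10 80 tcp 400
2009-03-28T09:04:00Z 203.0.113.9 40000 10.1.0.11 443 tcp 2000
this line is malformed and is skipped
"""


def parse_sessions(text):
    """Parse whitespace-separated session records into dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        start, src, sport, dst, dport, proto, nbytes = parts
        try:
            records.append({
                "start": start,
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "bytes": int(nbytes),
            })
        except ValueError:
            continue          # unparsable address or number: not a record
    return records


def is_internal(addr):
    return addr in INTERNAL_NET


def internal_hosts_seen(records):
    """Every internal address on either end of any session: the network's
    own answer to 'what systems live here', independent of the CMDB."""
    seen = set()
    for r in records:
        for end in ("src", "dst"):
            if is_internal(r[end]):
                seen.add(str(r[end]))
    return seen


def unmanaged_hosts(records, inventory=MANAGED_HOSTS):
    """Internal hosts the network saw but the inventory does not know about."""
    return internal_hosts_seen(records) - set(inventory)


def profile(records, host):
    """Summarize what a host initiated: session count, destination ports,
    and how many distinct internal and external peers it reached."""
    ip = ipaddress.ip_address(host)
    mine = [r for r in records if r["src"] == ip]
    return {
        "sessions": len(mine),
        "dst_ports": Counter(r["dport"] for r in mine),
        "internal_peers": len({r["dst"] for r in mine if is_internal(r["dst"])}),
        "external_peers": len({r["dst"] for r in mine if not is_internal(r["dst"])}),
    }


def unmanaged_report(text, inventory=MANAGED_HOSTS):
    """Map each unmanaged host to its activity profile, sorted by address."""
    records = parse_sessions(text)
    return {h: profile(records, h) for h in sorted(unmanaged_hosts(records, inventory))}


if __name__ == "__main__":
    for host, info in unmanaged_report(SAMPLE_SESSIONS).items():
        print(host, info)
```

On the constructed data this surfaces two hosts the inventory has never heard of; one of them has opened sessions to port 445 on every managed machine, which is exactly the kind of "unknown, unknown" system the Verizon post describes, and it was found with session data alone, without touching the hosts or involving another team.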


Benefits of Unified Communications Series – Part 2: Migrating to Unified Communications in 2009

Saturday, March 28th, 2009

On-Demand Webinar > Watch it now! SPONSORED BY: Nortel. Watch this FREE on-demand webinar to get an easy and cost-effective strategy for migrating to Unified Communications. Hear how to migrate to UC w…

Lean Six Sigma Security

Friday, March 27th, 2009

I have been diving into Lean Six Sigma at EMC lately.  Lean Six Sigma is like many of the quality programs that have existed over the years (I have a history in Total Quality Management).  The thing I like about EMC’s approach is that you look at your process and get rid of non-value add steps first and then you optimize your process to make sure that it is effective…

CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability

Thursday, March 26th, 2009

Issue

The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious code execution.

Impact

These issues can be exploited by tricking a user into visiting a malicious web page hosting the exploit code. The pwn2own bug can be mitigated by disabling JavaScript.

Status

Both issues have been investigated and fixes have been developed which are now undergoing quality assurance testing. These fixes will be included in the upcoming Firefox 3.0.8 release, due to be released by April 1. You can follow our work in bugzilla.

Credit

The pwn2own bug was reported to Mozilla by Nils via the Zero Day Initiative (ZDI). The XSLT issue was discovered on http://www.milw0rm.com/exploits/8285, credited to Guido Landi.

Why Googlers attend the Internet Identity Workshop

Thursday, March 26th, 2009

Java Runtime Environment 6.0 Update 13

Thursday, March 26th, 2009

Sun has released Java 6 Update 13. This release contains multiple security fixes: 254569, 254570, 254571, 254608, 254609, 254610, and 254611.

Most of these are privilege escalation vulnerabilities. 254569 can allow malicious code to be executed.

Understanding the Crowd Part II: You Must Think Like a Thief

Thursday, March 26th, 2009

At the end of my last blog entitled Understanding the Crowd: To Catch a Thief (Part I), posted on March 23rd, I referred to a formula that Amrit Williams and I have created for assessing the likelihood that a given method of security attack will be launched over the Internet and the relative probability that an exploit will occur.



When a Typo Costs a Fortune…or at least $400

Wednesday, March 25th, 2009

I tutored writing for three years, back in my college days, and the worst offenders were native English speakers who just didn’t care. They had another goal in life, and could not fathom how writing decent English could fit into their dreams and career goals.

More importantly, although they used spoken English more or less correctly by nature, they had no framework for understanding its nuances. Simply, they did not understand how the language functioned logically, and they saw it as an intuitive process rather than a logical and formal structure that adhered to specific rules.

Ironically, that’s what I love about language. It’s intuitive and logical, malleable yet formalized. I found it much easier to teach English language learners, who were learning English as a second or third language, because they were more capable of understanding the structure of language. They could apply the grammatical rules from their native tongue to learning English. Even when they couldn’t articulate themselves as intuitively, in some ways they understood the language better than my native speakers.

But I’m digressing a bit. Here’s a story I wish I could have used on my students back in the days of tutoring. It’s about how a simple typo can cost a fortune. When one Taco Bell accidentally charged a $150.00 bill instead of a $15.00 bill, one unfortunate family started getting overdraft charges for every expense, leading up to a $400.00 expense. Taco Bell fixed the oversight but is debating whether to cover the additional overdraft expenses, reports the Consumerist.

Personally I think the bank should do that, since the guy shouldn’t have been in overdraft. (And besides, how much can it really cost for the system to automatically draw from a different account?)

I’m sure some of my students would have refused to attribute this story to language, and instead talked about how accuracy in math and figures was far more important. However, it’s the same with language—one simple comma or word can make a sentence ambiguous and misunderstood.

It also seems like a rich field for hackers and businesses to exploit, overdrawing a little from a bank account here and a little there, or tacking on additional charges. I admit that I am guilty of not checking my bank account for typos, and I bet many other people also forget to proofread their account statements.

Attackers Targeting Small Business

Monday, March 23rd, 2009

A report in Dark Reading last week, from the Visa Security Summit, exposed the trend of security hackers targeting small businesses. In comparison with the bigger fish, small companies can be easy pickings, since they don’t always have the same amount of time, energy, and know-how to protect their networks and machines.

The move to target small businesses doesn’t seem like anything particularly new or surprising, but it is indicative of the larger trend toward targeted attacks. Security is a little like advertising, amusingly enough. In security as in ads, broad campaigns no longer work. People are getting more wary, so the advertisers and hackers have to be ever more inventive. So, advertisers are hitting niche markets that will be more open to their advertising messages. Same with security hackers: they are targeting niche groups that are less likely to be immune to exploits. The key with both is to find the target’s weakness.

And small companies have another flaw, besides their lack of resources. Since they are lower-profile, they’re more likely to feel secure in general, with the attitude, “Why would anyone attack us?” This is especially the case for new and very small businesses, or companies that are experiencing quick growth, and whose security infrastructure hasn’t caught up to the company’s actual size.

Yet from an attacker’s view, small businesses must be that sweet spot between consumers and banks. Consumers have relatively few resources to exploit, while a bank or enterprise company can be swindled for millions. Exploiting a small business means an attacker can get a medium return while potentially staying further under the radar than if he hit a major target and pulled in a huge amount of cash.

A problem for small business security is the scope of the PCI requirements, which target larger businesses. One tip the Dark Reading article offers is that small businesses that primarily work online should avoid handling credit card data if possible, to avoid the associated risks of data theft. Third party companies that specialize in online credit card payments can be used as a proxy to protect a small business’s transactions and spare it from handling and storing the data itself.